ALERT: Update Microsoft products for critical vulnerabilities

Wednesday, March 13, 2019

This information was sent to U-M IT staff groups via email on March 13, 2019. It is intended for U-M IT staff who are responsible for university computers that run any of the Microsoft products listed below, which include Microsoft Windows, Microsoft Office, Internet Explorer, Edge, and more.

Summary

Multiple vulnerabilities have been discovered in Microsoft products, several of which could allow for remote code execution or privilege escalation. Updates to address these vulnerabilities are available from Microsoft. These updates should be applied immediately after appropriate testing.

Problem

Microsoft has announced numerous new security vulnerabilities across multiple Microsoft products. Successful exploitation of the most severe of these could result in an attacker gaining the same privileges as the logged-on user or remotely executing malicious code without user interaction. Microsoft has provided updates to address all of the vulnerabilities. These should be applied as soon as possible after appropriate testing.

Threats

News reports indicate that two elevation of privilege vulnerabilities in Windows are being actively exploited in the wild; in some cases these attacks also exploit a Chrome vulnerability to execute arbitrary code. Successful exploitation allows remote attackers to execute arbitrary code with admin privileges on targeted computers once they have achieved remote code execution through some other means. Several other vulnerabilities patched by this month’s Microsoft updates allow remote code execution without user interaction or existing access to the system by the attacker.

Affected Systems

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office SharePoint
  • ChakraCore
  • Team Foundation Server
  • Skype for Business
  • Visual Studio
  • NuGet

Action Items

Apply updates provided by Microsoft immediately after appropriate testing. See Microsoft's links to updates at March 2019 software updates.

How We Protect U-M

This communication is being sent to those across the university who manage machines with Microsoft software on them.

Information Assurance (IA) works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.

IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

IA provides vulnerability management guidance to the university.

Information for Users

MiWorkspace machines will be patched as soon as possible and will need to be restarted when prompted to ensure all updates have been applied. If you have Microsoft Office, Microsoft Windows, or any of the other products listed in this alert installed on your own devices that are not managed by the university, please check for available updates and install them immediately. We recommend that you set your software to update automatically whenever possible.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.